Conversation

@viktorgt (Member)

No description provided.

@viktorgt viktorgt merged commit 8b56121 into main Oct 21, 2023

The core of authorization revolves around permissions, such as 'view' or 'edit', rather than checking relations like 'owner' or 'editor'. The concrete permission is checked against the relationships. Within the Ory Permission Language, permissions are declared as functions inside the permits property of the corresponding namespace. Let's explore how permissions might be outlined for our Document namespace:

Member, on the opening code fence:

formatting: use triple backtick with ts suffix to enable syntax highlighting.

example:

    ```ts
    class User {}
    ```

```
class Document implements Namespace {
  related: {
```
@johannesvollmer (Member), Oct 21, 2023:
up to this point, the flow of the text was excellent. it was a fascinating story about the Google paper. however, I personally struggled at this point.

I am confused because we learnt about the relation tuples earlier, but this code seems like it has nothing to do with that. why are we not using tuples here? what is the relationship between the tuples and this code? is this code for a specific tuple? what is the purpose of this code? maybe the purpose is to define which relation tuples are legal?

Member:

I thought we would insert relations into a database and it would perform a graph theory algorithm to determine whether a connection across multiple relation tuples exists, that connects the user and the document. however this looks like some good simple old boolean permission checks

Member Author:

The OPL incorporates both the model (namespaces), and the rules which evaluate permissions by navigating through relations. However, OPL itself does not perform the actual relation traversal. Instead, this is handled internally by Keto. While Keto doesn't directly utilize TypeScript, it operates purely on Go. The OPL is parsed by Keto during its initialization.

This approach is somewhat different from the original modeling presented in the Google Zanzibar paper. That modeling was expressed in a more scientific manner, using mathematical notations and representations. The audience wasn't the everyday developers but more advanced researchers and professionals.

The motivation to use TypeScript (TS) for OPL was to make it more developer-friendly. TypeScript is a widely-recognized language with extensive editor support, making it a more accessible and familiar tool for many developers. This adoption aimed to simplify the tooling and make it easier for the majority of developers to understand and work with.
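To make the two passages above concrete (the post's line that permissions are declared as functions in a namespace's permits property, and the reply explaining that OPL only declares the rules while Keto walks the relations internally), here is an added example. It is not code from the post, this PR or the Ory project: it is a plain-TypeScript toy that stores relation tuples as data and evaluates `permits` rules of the same shape as OPL by walking those tuples. `Namespace`, `Context`, `includes` and `traverse` are simplified stand-ins for what OPL imports from `@ory/keto-namespace-types`, and every namespace name, relation name and tuple in it is constructed for the example.

```typescript
// Added example (not the post's or Ory Keto's code): relation tuples are stored data
// and a namespace's `permits` rules are evaluated by walking them. `Namespace`, `Context`,
// `includes` and `traverse` are simplified stand-ins for the OPL types; all constructed.
export {};
interface Context { subject: string } // e.g. "User:alice"
// object#relation@subject; subject is an object id ("Folder:specs") or a subject set
// ("Group:eng#members", meaning everyone who is a member of Group:eng).
interface Tuple { object: string; relation: string; subject: string }
const isSubjectSet = (s: string): boolean => s.indexOf("#") !== -1;

class Store {
  constructor(private readonly tuples: Tuple[]) {}
  // Subjects written directly into object#relation, without expansion.
  directSubjects(object: string, relation: string): string[] {
    return this.tuples.filter((t) => t.object === object && t.relation === relation).map((t) => t.subject);
  }
  // Transitive expansion of subject sets (the graph walk Keto performs internally);
  // `visited` stops cycles such as a group that lists itself as a member.
  members(object: string, relation: string, visited: Record<string, true> = {}): string[] {
    const key = `${object}#${relation}`;
    if (visited[key]) return [];
    visited[key] = true;
    const out: string[] = [];
    const add = (m: string) => { if (out.indexOf(m) === -1) out.push(m); };
    for (const s of this.directSubjects(object, relation)) {
      if (isSubjectSet(s)) {
        const [obj, rel] = s.split("#");
        this.members(obj, rel, visited).forEach(add);
      } else add(s);
    }
    return out;
  }
  // Instantiates the namespace class for an object id such as "Folder:specs".
  get(id: string): Namespace {
    const ctor = REGISTRY[id.split(":")[0]];
    if (!ctor) throw new Error(`unknown namespace in ${id}`);
    return new ctor(this, id);
  }
  // The check call: does `subject` hold `permission` on `object`?
  check(object: string, permission: string, subject: string): boolean {
    const rule = this.get(object).permits[permission];
    if (!rule) throw new Error(`no permission ${permission} on ${object}`);
    return rule({ subject });
  }
}

// Stand-in for an OPL relation list such as `this.related.editors`.
class RelationList {
  constructor(private readonly store: Store, private readonly object: string, private readonly relation: string) {}
  // OPL `includes`: direct or indirect (via subject sets) membership.
  includes(subject: string): boolean {
    return this.store.members(this.object, this.relation).indexOf(subject) !== -1;
  }
  // OPL `traverse`: evaluate a rule on each related object (subject sets are skipped).
  traverse(rule: (related: Namespace) => boolean): boolean {
    return this.store.directSubjects(this.object, this.relation)
      .filter((s) => !isSubjectSet(s))
      .some((s) => rule(this.store.get(s)));
  }
}

type Permits = Record<string, (ctx: Context) => boolean>;
abstract class Namespace {
  permits: Permits = {};
  constructor(protected readonly store: Store, readonly id: string) {}
  protected rel(relation: string): RelationList { return new RelationList(this.store, this.id, relation); }
}

// Only namespaces whose rules are evaluated need a class; users and groups come from tuples.
class Folder extends Namespace {
  get related() { return { editors: this.rel("editors") }; }
  permits: Permits = { edit: (ctx) => this.related.editors.includes(ctx.subject) };
}

// Same shape as the OPL `permits` property; `edit` also follows `parents` up to the folder.
class Document extends Namespace {
  get related() {
    return { owners: this.rel("owners"), editors: this.rel("editors"),
             viewers: this.rel("viewers"), parents: this.rel("parents") };
  }
  permits: Permits = {
    view: (ctx) => this.related.viewers.includes(ctx.subject) || this.permits.edit(ctx),
    edit: (ctx) =>
      this.related.owners.includes(ctx.subject) ||
      this.related.editors.includes(ctx.subject) ||
      this.related.parents.traverse((parent) => parent.permits.edit(ctx)),
  };
}

const REGISTRY: Record<string, new (store: Store, id: string) => Namespace> = { Folder, Document };

// Constructed tuples: carol owns the document, bob may view it, and alice can edit it
// only through Group:eng#members -> Folder:specs#editors -> Document:rfc-1#parents.
const store = new Store([
  { object: "Group:eng", relation: "members", subject: "User:alice" },
  { object: "Folder:specs", relation: "editors", subject: "Group:eng#members" },
  { object: "Document:rfc-1", relation: "parents", subject: "Folder:specs" },
  { object: "Document:rfc-1", relation: "viewers", subject: "User:bob" },
  { object: "Document:rfc-1", relation: "owners", subject: "User:carol" },
]);

console.log(store.check("Document:rfc-1", "edit", "User:alice")); // true: folder editor via the group
console.log(store.check("Document:rfc-1", "edit", "User:bob"));   // false: viewers cannot edit
```

Running the file prints `true` for alice's `edit` check and `false` for bob's. alice never appears in a Document tuple, so the rule has to follow `parents` to `Folder:specs` and then expand the `Group:eng#members` subject set; that is the multi-hop walk the thread asks about. In Keto that expansion happens server-side: the OPL file only says which hops are allowed, and the tuples say which hops exist.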

Member:

I suggest that you tell the reader the goal of the code before you show the code. for example:

"the following code defines a simple permission pattern, which keto then uses to build relation tuples internally." or something similar :)

Member Author:

I adapted it a bit and added a chapter that handles the creation of relations explicitly.

Member Author:

#5

Member:

much better in my opinion, thanks:)



@@ -0,0 +1,273 @@
---
layout: post
title: "Exploring Relation-based Models"
Member:

a title is one of the hardest parts about a blog post. here is some feedback:

I think the title could be catchier, to make more people click on it.

this story about the Google paper is fascinating. maybe the title can be a little more engaging using that story as a hook?

ideas

  • how google drive checks permission across millions of documents in 10ms
  • learning from google: relation-based permissions scaled to millions of users
  • permissions untangled: using relations instead of [old approach]

@viktorgt (Member Author), Oct 22, 2023:

Actually, this was the original title: From Google's Zanzibar to Ory Keto: Exploring the Evolution of Authorization Frameworks

But from my perspective that has too much focus on Google Zanzibar; while it is quite an interesting part, the main point of the article is to make the integration clear, and the Zanzibar part was just to explain its roots.

Maybe I should think about it.

Member Author:

  • Google's Zanzibar and Beyond: A Deep Dive into Relation-based Authorization
  • Standing on the Shoulders of Giants: Relation-Based Authz Inspired by Google Zanzibar

Member:

I think your last suggestions are nice


2 participants